mace-opensaml-users - Re: [OpenSAML] signed SAMLRequest in SOAPMessage
Subject: OpenSAML user discussion
- From: Chad La Joie <>
- Subject: Re: [OpenSAML] signed SAMLRequest in SOAPMessage
- Date: Fri, 24 Apr 2009 11:34:33 -0400
- Organization: SWITCH
Review the archives on this list. Signature questions are one of the
most common issues that people run into. The short answer is, you need
to *really* know what your tools are doing. Signatures are incredibly
brittle and there is no easy way to diagnose all the problems you run into.
wrote:
> Hi,
>
> I am developing a web service that accepts a SAMLRequest as input and
> returns a SAMLResponse as output to deliver secure tokens (as
> SAMLAssertions).
> The SAMLRequest in the input needs to be signed.
> Generating the signature on the client side and verifying it on the server side is
> easily done with the OpenSAML API.
> The problem is when I use a JAX-RPC web service client to send the request to
> the web service (the web service needs to be callable from different clients).
> When it puts the request into the SOAPBody, it uses a different
> namespace prefix than the one that was set in the original request document
> when it was signed.
>
> When I print out the OpenSAML SAMLRequest before it is sent, I have this:
> <Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...
>
> The web service client puts this in the body:
> <samlp:Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...
>
> which is also valid XML, but the signature on the samlRequest is now broken
> (samlRequest.verify() on the server side throws an exception).
>
> Have you guys stumbled on this problem before?
> How should I deal with namespace prefixes in signed samlRequests?
> Is there anything I should do on the client/server side before
> signing/verifying?
> I think I can work around this by defining a simple String as the input of my
> web method in my WSDL instead of the SAML Request element of the SAML
> protocol schema, but if possible I want my interface to clearly define that it
> only accepts SAMLRequests.
>
> Kind regards,
>
> Frederik
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
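As an added illustration of why the digest breaks (example code written for this archive page, not OpenSAML's or the poster's code): a simplified exclusive-C14N-style serializer over a constructed SAML 1.1 request shows that the namespace prefix as written is part of the canonical bytes, so the two serializations Frederik quotes hash differently even though a namespace-aware parser treats them as the same element. The request body, its RequestID value and the choice of SHA-256 are constructed for the demo; a real ds:Reference uses whatever DigestMethod and canonicalization algorithm SignedInfo names.

```python
import hashlib
from xml.dom import XMLNS_NAMESPACE, minidom
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample modelled on the thread: the request as serialized before
# signing, with the three declarations quoted there (RequestID and body made up).
AS_SIGNED = (
    '<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'RequestID="_constructed-1" MajorVersion="1" MinorVersion="1">'
    '<AttributeQuery><saml:Subject><saml:NameIdentifier>alice@example.org'
    '</saml:NameIdentifier></saml:Subject></AttributeQuery></Request>'
)
# The same request after the SOAP client re-serialized it with the samlp prefix.
AS_SENT = AS_SIGNED.replace("<Request", "<samlp:Request").replace("</Request>", "</samlp:Request>")

def canonicalize(el, inscope=None):
    """Simplified exclusive-C14N-style serializer: sorted attributes, only visibly
    used namespace declarations and, like the real algorithms, the prefix as written."""
    inscope = dict(inscope or {})  # declarations already emitted by ancestors
    needed = {el.prefix or "": el.namespaceURI} if el.namespaceURI else {}
    attrs, decls = [], []
    for attr in el.attributes.values():  # xmlns attrs are rebuilt from actual use
        if attr.namespaceURI != XMLNS_NAMESPACE:
            if attr.prefix:
                needed[attr.prefix] = attr.namespaceURI
            attrs.append((attr.name, attr.value))
    for prefix, uri in needed.items():
        if inscope.get(prefix) != uri:
            inscope[prefix] = uri
            decls.append(("xmlns:" + prefix if prefix else "xmlns", uri))
    parts = ["<" + el.tagName]
    for name, value in sorted(decls) + sorted(attrs):
        parts.append(' %s="%s"' % (name, escape(value, {'"': "&quot;"})))
    parts.append(">")
    for child in el.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            parts.append(canonicalize(child, inscope))
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(escape(child.data))
    parts.append("</" + el.tagName + ">")
    return "".join(parts)

def digest_value(xml_text):  # what a ds:Reference digest covers: canonical bytes
    canonical = canonicalize(minidom.parseString(xml_text).documentElement)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def same_qualified_name(a, b):  # a namespace-aware parser sees {uri}local for both
    return ET.fromstring(a).tag == ET.fromstring(b).tag
```

Canonicalization absorbs attribute order and unused declarations, but not the element prefix, which is why anything that re-serializes the signed element between signing and verifying has to leave the bytes or the DOM untouched.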
- signed SAMLRequest in SOAPMessage, frederik . libert, 04/24/2009
- Re: [OpenSAML] signed SAMLRequest in SOAPMessage, Chad La Joie, 04/24/2009
- Re: [OpenSAML] signed SAMLRequest in SOAPMessage, Xavier Drudis Ferran, 04/24/2009
- RE: [OpenSAML] signed SAMLRequest in SOAPMessage, Scott Cantor, 04/24/2009